Dojo AI and the Shift from Alert Noise to Operational Focus in the SOC

In Security Operations Centers (SOCs), the real challenge is not a lack of data—it is an excess of it.
Telemetry volumes continue to grow, alert counts rise, analyst headcount remains under pressure, and tool sprawl expands across the stack. As a result, the most expensive resource in the SOC—human attention—is consumed by repetitive triage activities rather than decision-making.

Sumo Logic’s Dojo AI is positioned precisely at this inflection point. Its core objective is to redistribute routine SOC workloads to purpose-built AI agents, allowing analysts to refocus on high-value tasks such as reasoning, investigation, and strategic response.

This article examines Dojo AI’s architectural approach, its agent model, and how it integrates into real SOC workflows—not as hype, but as an operationally viable framework.


What Is Dojo AI?

Not a Copilot, but a Multi-Agent SOC Workforce

Sumo Logic defines Dojo AI as an agentic AI system. Rather than acting as a black box that replaces analyst judgment, Dojo AI operates alongside analysts—handling repetitive tasks, providing contextual explanations, maintaining evidence trails, and guiding analysts toward the right questions and actions when needed.

The key distinction lies in its architecture. Instead of relying on a single AI copilot, Dojo AI adopts a multi-agent model, where each agent has a specialized responsibility:

  • One agent summarizes incidents and insights

  • Another translates natural language into optimized queries

  • Another performs incident triage and maps activity to MITRE ATT&CK

  • An orchestrator coordinates these agents in the correct sequence

This design directly addresses one of the SOC’s most persistent inefficiencies: excessive context switching.


Core Architecture: Mobot, Agents, and MCP Governance

Mobot: Conversational Interface and Orchestration Layer

Mobot serves as the primary interaction layer for analysts. It enables natural language access to data, triggers the appropriate agents, and accelerates investigation workflows. The primary value proposition is simple: reduce the distance between a question and an actionable insight.


Summary Agent: From Raw Insight to Actionable Context

When an Insight is generated, the Summary Agent explains why it was triggered, which signals matter, and where the analyst should focus. Instead of forcing analysts to sift through raw logs, it produces decision-ready context in seconds.


Query Agent: Translating Intent into Optimized Queries

The Query Agent reduces the cognitive load associated with writing and debugging queries. Analysts express intent in natural language, and the agent converts it into accurate, performant queries. This capability significantly accelerates productivity, particularly for junior analysts.


SOC Analyst Agent: Always-On Triage with Explainable Reasoning

The SOC Analyst Agent goes beyond recommendations by providing structured, step-by-step reasoning behind its conclusions. Its outputs include:

  • A verdict with transparent explanation

  • Threat intelligence correlation and automatic MITRE ATT&CK mapping

  • Recommended severity classification

The operating principle is clear: AI-led investigation with humans in the loop. AI handles triage and analysis acceleration; humans retain final judgment and strategic control.

From a SOC leadership perspective, this design directly targets two critical KPIs: reducing alert fatigue and lowering mean time to resolution (MTTR).


Knowledge Agent: Operational Enablement Without Documentation Drag

Operational onboarding and platform management often suffer from time lost navigating documentation. The Knowledge Agent provides fast, referenceable answers to “how-to” questions directly through the conversational interface, reducing friction in day-to-day operations.


MCP (Model Context Protocol): Governance for Agent Interactions

A critical architectural element is the Model Context Protocol (MCP), which governs how agents interact with data, models, and external tools. This layer ensures that increased AI capability does not come at the expense of control, predictability, or security.


The Dojo AI SOC Workflow

Dojo AI follows a clear operational progression:

Insight → Summary → Query → Conversation

In practice, this means:

  • The SIEM generates an Insight through detection or correlation

  • The Summary Agent contextualizes what happened and why it matters

  • The Query Agent enables targeted deep dives where needed

  • Mobot facilitates an interactive, conversational investigation

The stated objective is ambitious but concrete: reducing tasks that previously took up to an hour per alert to a matter of minutes.


Real-World Scenarios Accelerated by Dojo AI

Dojo AI is designed around realistic SOC use cases rather than synthetic demos:

  • Ransomware activity:
    Lateral movement anomalies are summarized and aligned with known ransomware behaviors, followed by pivot queries across additional network segments.

  • Insider threat:
    Unusual file access patterns are contextualized against baseline behavior, with historical access analysis surfaced automatically.

  • Cloud misconfiguration:
    Exposure risks are identified, contextualized, and validated against access logs to confirm misuse or benign behavior.

In all cases, AI is not generating exploits or simulating attacks—it is accelerating triage and contextual understanding.


Trust, Privacy, and Data Usage

When AI enters the SOC, one question inevitably follows: Is my data being used to train the model?

Sumo Logic explicitly states that customer data and personally identifiable information are not used for model training.
For certain machine learning capabilities—such as anomaly detection—a rolling data window is employed: models are built from a defined historical period, retrained on a regular cadence, and older data is discarded as the window advances, so no observation is retained indefinitely.
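The rolling-window pattern described above (bounded history, periodic retraining, continuous eviction of old data) is easy to get subtly wrong, so here is an added, self-contained illustration of it. This is example code written for this article, not Sumo Logic's anomaly-detection implementation; the class name, the daily-count input, the z-score rule and all sample values are assumptions constructed for the demonstration.

```python
from collections import deque
from datetime import date, timedelta
from statistics import mean, pstdev


class RollingBaseline:
    """Hypothetical anomaly baseline over a bounded, rolling window of daily counts.

    - history holds only the last `window_days` days; older points are evicted
    - the model (mean/stdev) is rebuilt every `retrain_every` days, not per point
    - scoring happens before the new point is stored, so it cannot contaminate
      the baseline it is compared against
    """

    def __init__(self, window_days=30, retrain_every=7, z_threshold=3.0, min_points=7):
        self.window_days = window_days
        self.retrain_every = retrain_every
        self.z_threshold = z_threshold
        self.min_points = min_points
        self.history = deque()          # (day, value), ordered by day
        self.model = None               # {"mean", "stdev", "trained_on"} or None

    def _evict(self, today):
        # Discard anything at or beyond the window edge (continuous, not batch, deletion).
        while self.history and (today - self.history[0][0]).days >= self.window_days:
            self.history.popleft()

    def _retrain(self, today):
        values = [v for _, v in self.history]
        if len(values) < self.min_points:
            self.model = None           # warm-up: too little history to score safely
            return
        sd = pstdev(values)
        # A flat baseline (stdev 0) would divide by zero; floor it so any deviation scores high.
        self.model = {"mean": mean(values), "stdev": max(sd, 1e-9), "trained_on": today}

    def observe(self, today, value):
        """Score one daily count, then store it. Returns (is_anomaly, z_score or None)."""
        self._evict(today)
        due = self.model is None or (today - self.model["trained_on"]).days >= self.retrain_every
        if due:
            self._retrain(today)
        if self.model is None:
            result = (False, None)
        else:
            z = (value - self.model["mean"]) / self.model["stdev"]
            result = (abs(z) >= self.z_threshold, round(z, 2))
        self.history.append((today, value))
        return result

    def oldest_day(self):
        return self.history[0][0] if self.history else None


def simulate():
    """Constructed scenario: 30 quiet days of ~100 logins/day, then a 4x spike, then a normal day."""
    baseline = RollingBaseline(window_days=30, retrain_every=7, z_threshold=3.0)
    start = date(2024, 1, 1)
    for i in range(30):
        baseline.observe(start + timedelta(days=i), 100 + (i % 5) * 2 - 4)   # 96..104 pattern
    spike = baseline.observe(start + timedelta(days=30), 400)                 # flagged
    normal = baseline.observe(start + timedelta(days=31), 103)                # not flagged
    return baseline, spike, normal


if __name__ == "__main__":
    b, spike, normal = simulate()
    print("spike:", spike, "normal:", normal)
    print("history size:", len(b.history), "oldest retained day:", b.oldest_day())
```

Two details matter for the privacy claim the paragraph makes: eviction is driven by age on every observation rather than by a periodic purge job, and the stored state is a small aggregate (mean and standard deviation) rather than the raw events, so what survives the window is minimal by construction.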

Dojo AI is built on Amazon Bedrock and aligns with common compliance and assurance frameworks, including regulated-industry requirements. This transparency is often the deciding factor in moving proof-of-concept efforts into production, particularly in public sector and highly regulated environments.


Where the Operational Value Truly Breaks Through

Two elements distinguish the SOC Analyst Agent from traditional automation:

Explainable Reasoning with Evidence Trails

Rather than asking analysts to trust opaque decisions, the system explains how conclusions were reached—based on signals, entity history, and observed patterns—building analyst confidence rather than eroding it.

MITRE ATT&CK Mapping with Threat Intelligence Context

By framing incidents in terms of tactics and techniques rather than isolated log events, the system accelerates analyst comprehension and response prioritization.

It is also worth noting that the SOC Analyst Agent is currently available in a controlled release phase, with access coordinated through account teams.
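The SOC Analyst Agent section above lists the shape of a triage output (a verdict with a transparent explanation, threat-intelligence correlation, ATT&CK mapping, a recommended severity), and this section stresses that the reasoning must be traceable to signals. The block below is an added, deliberately rule-based sketch of such an output so the evidence trail is visible end to end; it is not Dojo AI code and says nothing about how the product reasons internally. The log format, host and user names, thresholds, the `.locked` extension and the indicator list are all constructed for the example; the ATT&CK tactic and technique IDs are real, the 203.0.113.45 address is from the RFC 5737 documentation range.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed thresholds for the illustrative rules.
LATERAL_MIN_DESTINATIONS = 5      # distinct SMB targets from one host/user inside WINDOW
RENAME_MIN_EVENTS = 5             # burst of renames to a suspicious extension
RANSOM_EXTENSION = ".locked"      # constructed extension used by the sample data
WINDOW = timedelta(minutes=5)

# Constructed threat-intel feed (hypothetical indicator; documentation-range address).
THREAT_INTEL = {"203.0.113.45": "constructed-feed: known C2 infrastructure"}

# Constructed telemetry: one workstation fans out over SMB, mass-renames files, then beacons out.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:05Z host=ws-17 user=jdoe action=smb_auth dst=fs-01",
    "2024-05-01T10:00:09Z host=ws-17 user=jdoe action=smb_auth dst=fs-02",
    "2024-05-01T10:00:14Z host=ws-17 user=jdoe action=smb_auth dst=fs-03",
    "2024-05-01T10:00:20Z host=ws-17 user=jdoe action=smb_auth dst=fs-04",
    "2024-05-01T10:00:27Z host=ws-17 user=jdoe action=smb_auth dst=fs-05",
    "2024-05-01T10:01:10Z host=ws-17 user=jdoe action=file_rename path=//fs-01/share/q1.xlsx.locked",
    "2024-05-01T10:01:11Z host=ws-17 user=jdoe action=file_rename path=//fs-01/share/q2.xlsx.locked",
    "2024-05-01T10:01:12Z host=ws-17 user=jdoe action=file_rename path=//fs-01/share/plan.docx.locked",
    "2024-05-01T10:01:13Z host=ws-17 user=jdoe action=file_rename path=//fs-02/share/hr.pdf.locked",
    "2024-05-01T10:01:14Z host=ws-17 user=jdoe action=file_rename path=//fs-02/share/notes.txt.locked",
    "2024-05-01T10:01:15Z host=ws-17 user=jdoe action=file_rename path=//fs-03/share/ledger.csv.locked",
    "2024-05-01T10:02:00Z host=ws-17 user=jdoe action=net_connect dst_ip=203.0.113.45",
    "2024-05-01T10:03:00Z host=ws-22 user=asmith action=smb_auth dst=fs-01",   # ordinary access
]


def parse_event(line):
    """Parse '<iso-timestamp> key=value ...' into (timestamp, fields)."""
    ts_text, *tokens = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, dict(token.split("=", 1) for token in tokens)


def triage(lines):
    """Return a verdict, severity, ATT&CK mapping and the evidence each conclusion rests on."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    by_actor = defaultdict(list)
    for ts, f in events:
        by_actor[(f["host"], f["user"])].append((ts, f))

    evidence, techniques = [], {}     # techniques: id -> (tactic, name), insertion-ordered

    for (host, user), evs in by_actor.items():
        # Rule 1: SMB fan-out to many distinct hosts in a short window (lateral movement).
        auths = [(ts, f["dst"]) for ts, f in evs if f["action"] == "smb_auth"]
        for i, (start, _) in enumerate(auths):
            dsts = {dst for ts, dst in auths[i:] if ts - start <= WINDOW}
            if len(dsts) >= LATERAL_MIN_DESTINATIONS:
                evidence.append(f"{user}@{host} authenticated over SMB to {len(dsts)} distinct hosts "
                                f"within {WINDOW.seconds // 60} min (threshold {LATERAL_MIN_DESTINATIONS}): "
                                f"{sorted(dsts)}")
                techniques["T1021.002"] = ("TA0008 Lateral Movement", "Remote Services: SMB/Windows Admin Shares")
                break
        # Rule 2: burst of renames to a suspicious extension (encryption-style impact).
        renames = [f["path"] for ts, f in evs
                   if f["action"] == "file_rename" and f.get("path", "").endswith(RANSOM_EXTENSION)]
        if len(renames) >= RENAME_MIN_EVENTS:
            evidence.append(f"{user}@{host} renamed {len(renames)} files to '{RANSOM_EXTENSION}' "
                            f"(threshold {RENAME_MIN_EVENTS}); first: {renames[0]}")
            techniques["T1486"] = ("TA0040 Impact", "Data Encrypted for Impact")
        # Rule 3: outbound connection to an indicator from the (constructed) threat-intel feed.
        for ts, f in evs:
            if f["action"] == "net_connect" and f.get("dst_ip") in THREAT_INTEL:
                evidence.append(f"{host} connected to {f['dst_ip']} at {ts.isoformat()} "
                                f"matching threat intel: {THREAT_INTEL[f['dst_ip']]}")
                techniques["T1071"] = ("TA0011 Command and Control", "Application Layer Protocol")

    tactics = {tactic for tactic, _ in techniques.values()}
    if "TA0040 Impact" in tactics:
        severity = "critical"
    elif len(techniques) >= 2:
        severity = "high"
    elif techniques:
        severity = "medium"
    else:
        severity = "low"

    if {"T1021.002", "T1486"} <= techniques.keys():
        verdict = "Likely ransomware staging: lateral movement followed by mass file encryption indicators"
    elif techniques:
        verdict = "Suspicious activity requiring analyst review"
    else:
        verdict = "No triage rule fired; likely benign"
    return {"verdict": verdict, "severity": severity, "techniques": techniques, "evidence": evidence}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The point to take from it is structural rather than the rules themselves: every technique in the mapping is attached to a sentence naming the actor, the count, the threshold it crossed and the raw values behind it, which is what lets an analyst accept or reject the verdict without re-reading the logs. A single ordinary SMB access (the last sample line on its own) produces an empty evidence list and a low severity, which is the negative case a reviewer should always check.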


A Practical POC Framework: Bringing Dojo AI into the SOC

To move beyond demo impact and toward operational value, a focused proof-of-concept should include:

  1. Selecting two to three high-impact use cases

  2. Defining clean, high-quality telemetry sources

  3. Normalizing entities such as users, hosts, and cloud accounts

  4. Calibrating Insights to prioritize signal over volume

  5. Validating Summary Agent outputs for analyst readability

  6. Verifying Query Agent accuracy and performance

  7. Comparing AI-led and human-led triage outcomes

  8. Integrating investigation runbooks

  9. Enforcing governance through MCP boundaries

  10. Measuring outcomes using MTTR, triage time, and false positive reduction
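Steps 7 and 10 of the framework (comparing AI-led with human-led triage outcomes, then measuring MTTR, triage time and false-positive reduction) are the ones a POC most often reports loosely. The block below is an added scoring harness for them, written for this article rather than taken from Sumo Logic; the record layout, insight IDs, timings and dispositions are constructed. "Final" is the disposition agreed after the fact, which is the ground truth both paths are measured against.

```python
# Constructed POC records: each insight was triaged independently by the AI path and by an
# analyst; "final" is the agreed disposition after investigation. Times are in minutes.
RECORDS = [
    {"id": "INS-1", "ai": "escalate", "human": "escalate", "final": "true_positive",
     "ai_minutes": 4, "human_minutes": 38, "resolve_minutes": 120},
    {"id": "INS-2", "ai": "close",    "human": "escalate", "final": "true_positive",
     "ai_minutes": 3, "human_minutes": 45, "resolve_minutes": 30},
    {"id": "INS-3", "ai": "escalate", "human": "escalate", "final": "false_positive",
     "ai_minutes": 5, "human_minutes": 50, "resolve_minutes": 60},
    {"id": "INS-4", "ai": "close",    "human": "escalate", "final": "false_positive",
     "ai_minutes": 2, "human_minutes": 20, "resolve_minutes": 15},
    {"id": "INS-5", "ai": "escalate", "human": "close",    "final": "true_positive",
     "ai_minutes": 6, "human_minutes": 30, "resolve_minutes": 180},
    {"id": "INS-6", "ai": "escalate", "human": "escalate", "final": "true_positive",
     "ai_minutes": 4, "human_minutes": 55, "resolve_minutes": 90},
]


def evaluate(records):
    """Compare the two triage paths against the final disposition and report POC KPIs."""
    n = len(records)

    def correct_rate(path):
        # A verdict is correct when 'escalate' coincides with a true positive.
        return round(sum((r[path] == "escalate") == (r["final"] == "true_positive")
                         for r in records) / n, 3)

    def fp_escalations(path):
        # False positives that were escalated anyway: the cost the POC wants to reduce.
        return sum(r[path] == "escalate" and r["final"] == "false_positive" for r in records)

    def missed(path):
        # True positives that were closed: the error that must be tracked explicitly,
        # because a lower escalation count alone can hide it.
        return [r["id"] for r in records if r[path] == "close" and r["final"] == "true_positive"]

    human_fp, ai_fp = fp_escalations("human"), fp_escalations("ai")
    return {
        "verdict_agreement": round(sum(r["ai"] == r["human"] for r in records) / n, 3),
        "ai_correct_rate": correct_rate("ai"),
        "human_correct_rate": correct_rate("human"),
        "missed_true_positives": {"ai": missed("ai"), "human": missed("human")},
        "false_positive_reduction": round((human_fp - ai_fp) / human_fp, 3) if human_fp else None,
        "mean_triage_minutes": {
            "ai": round(sum(r["ai_minutes"] for r in records) / n, 1),
            "human": round(sum(r["human_minutes"] for r in records) / n, 1),
        },
        "mttr_minutes": round(sum(r["resolve_minutes"] for r in records) / n, 1),
    }


if __name__ == "__main__":
    for key, value in evaluate(RECORDS).items():
        print(f"{key}: {value}")
```

Reading the constructed result, the AI path halves escalated false positives and cuts triage time by an order of magnitude, but it also closes one true positive (INS-2); a POC scorecard that reports only the first two numbers would pass a configuration that should fail step 7, which is why the missed-true-positive list is a first-class output rather than a footnote.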


Conclusion: The Strategic Promise of Dojo AI

The message behind Dojo AI is clear: AI in the SOC should evolve beyond query assistance into a distributed workforce of specialized agents. When implemented with the right use cases and a strong telemetry foundation, the combination of Mobot, Summary, Query, and SOC Analyst Agents has the potential to reclaim analyst focus—the most valuable and constrained asset in security operations.